Consensual Sets

Does getting consent for cookies have to be all that onerous?

(Update 27th May 2011 – The ICO are giving a 12 months grace period. Various comments seem to confirm the views I set out below – I’ll blog about it in due course)

(Update 22 May 2012 – As the 12 months’ grace period comes to an end I am increasingly concerned that the view explained below and the ideas behind our free-to-use cookie warning sign may not be compliant – we are watching carefully!)

After a few days of trying to get to grips with the forthcoming Cookie Directive (2 days to go!) I’m starting to feel that the directive is not as bad or ridiculous as many are claiming (as long as some common sense is applied).

I don’t think compliance needs website-wrecking retrofits. I don’t think that the directive dooms all EU websites to a competitive disadvantage. I don’t even think it’s misguided. Here’s hoping anyway.

“has given his or her consent”

It’s these six little words being inserted into the existing law that have put the cat amongst the pigeons. The requirement to obtain consent is the significant change in the law, and it is the interpretation of what consent entails that is causing the debate.

The unanswered question

A large portion of the recently published government (ICO) guidelines are dedicated to explaining theoretical ways of getting consent. Reading them leaves me with the view that there is quite a lot of flexibility in the definition of “consent”.

The guidelines contradict themselves, giving us no option but to make judgement calls. Compare these two statements:

Statement 1. (Overly Optimistic)

You need to provide information about cookies and obtain consent before a cookie is set for the first time.

Statement 2. (Sensible)

One possible solution might be to place some text in the footer or header of the web page

In the case of the second statement, cookies will already have been set, thus directly contradicting statement 1.

This is giving rise to a spectrum of views as to what needs to be done. Statement 1 suggests you’d have no choice but to add a pop-up or a landing page with opt-ins before you let people get to your website proper (if you are to continue to use, say, Google Analytics).

Others are using statement 2 to convince themselves that providing a small footer link to updated T&Cs is complying.

I disagree.

Degrees of consent

The reason I hold out hope for common sense prevailing is this statement in the ICO guidelines:

the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent

I interpret that as: if you want to use cookies in a very privacy-invading manner then you can only do so by getting water-tight consent beforehand (for example by using a pop-up with an acceptance box).

If on the other hand your cookies are more innocent (such as with the not-totally innocent Google Analytics – see previous discussion), then just letting users know you are doing so and giving them an opt-out is sufficient.

If we look at the typical process of getting agreement to terms and conditions on websites we see the following approaches:

1. Page of T&Cs with “I accept” button at the bottom

2. Tick box next to “I accept terms and conditions” (inc. link to T&Cs)

3. T&Cs listed on the web page without any “I accept” button

4. Link to T&Cs without any “I accept” button

In each case the intent of doing this is to get user consent, and I suspect a lawyer would define them all as legally binding forms of consent provided they are used appropriately. The more onerous, less obvious or unusual the terms, the more likely the website owner would be required to use method 1 or 2 as opposed to 3 or 4 for that consent to be legally acceptable.

I feel the same approach can be applied to getting consent for cookie use.

The example of Google Analytics

Imagine a world where every site using Google Analytics required you to click an accept button before you proceeded to the website. It just wouldn’t happen. Users would rebel, resulting either in the EU backing down or, if it persisted, in websites reluctantly dropping Analytics.

As discussed previously, Google Analytics cookies are naughty but not evil. I don’t think the directive seeks to stop websites using Analytics; it just wants users to be made aware when they are being used and to give users more control. The ICO guidelines state the following in a section that specifically discusses analytics-type software:

You should consider how you currently explain your policies to users and make that information more prominent, particularly in the period immediately following implementation of the new Regulations. You must also think about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.

i.e. they are not expecting website owners, in the case of Google Analytics, to require acceptance before the cookies are set. In my humble opinion!

The Attacat approach

I see Google Analytics as a little like CCTV cameras. I’m not a huge fan but I don’t lose sleep over them. I assume it must be a legal requirement to have “CCTV in operation” signs, so that is the approach I’m going to adopt for our site: “Cookies in use”. Of course this would then link to more information and explain how to opt-out.

Does this need to take up lots of real estate on our site? That depends how safe you want to be. Little text link in the footer = higher risk, 100×100 pixel yellow notice = lower risk.

What are we doing? We are aiming for a small cookie icon and size 8 text which may or may not “float” in the bottom right of the screen on all pages. I can’t show it off yet as we haven’t developed it (but we hope to make the directive deadline (24 hrs to go))!
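To make the practical difference between the two positions concrete, here is an added JavaScript example (not from the original post or the Attacat site) that gates a script on a stored consent cookie: an “intrusive” category is opt-in and never loads before consent has been recorded, while an “analytics” category is loaded unless the user has opted out via the link behind the sign. The cookie name `cookie_consent`, its `category:yes|no` format and the two category names are assumptions.

```javascript
// Added example: tiered consent gate. Categories and the consent cookie
// format are assumptions, not anything the ICO or the original post defines.
const POLICY = {
  analytics: "opt-out",   // notice shown; loads unless the user has refused
  intrusive: "opt-in",    // never loads until the user has explicitly agreed
};

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent lives in one first-party cookie, e.g.
// "cookie_consent=analytics:yes,intrusive:no". Absent means no decision yet.
function readConsent(cookies) {
  const decisions = {};
  const raw = cookies.cookie_consent || "";
  for (const entry of raw.split(",")) {
    const [category, value] = entry.split(":");
    if (category && value) decisions[category.trim()] = value.trim() === "yes";
  }
  return decisions;
}

// May a script in `category` run, given the raw cookie header?
function mayLoad(category, cookieString) {
  const mode = POLICY[category];
  if (!mode) return false;                 // unknown category: fail closed
  const decision = readConsent(parseCookies(cookieString))[category];
  if (mode === "opt-in") return decision === true;   // needs explicit "yes"
  return decision !== false;               // opt-out: load unless refused
}

// Browser wiring (assumed): inject the tag only when the gate allows it.
function loadIfAllowed(category, src) {
  if (typeof document === "undefined") return false;
  if (!mayLoad(category, document.cookie)) return false;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}
```

Because the gate runs before the tag is injected, nothing in the “intrusive” tier is set on a first visit, which is what Statement 1 asks for; the “analytics” tier behaves like the sign-plus-opt-out approach described above.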

What if I’m wrong?

Actually it doesn’t matter! Why? Because the guidelines are not clear, the ICO will have little choice but to give non-compliant websites (that have genuinely tried to comply) an opportunity to amend their ways. I draw this conclusion from these words in the guidelines:

…if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.

What’s next?

Answering the same questions about behavioural advertising cookies and especially affiliate cookies is nothing like as straightforward, so that’s a challenge still to be overcome.

As part of our effort to create a resource to help website owners comply with the directive we have started to create a free cookie audit tool (feel free to test it!). We aim to evolve this into a “guide” that includes practical opinions on what can be done to have a good chance of achieving compliance (there are no certainties!) with minimal time input from website owners.

Ultimately, if there’s interest, I’d like to think we will have a resource that will allow website owners to create and implement a compliance plan within 30 minutes.

If you’d like to help in any way, please do get in touch. If you’d like to debate our approach, I’d love to hear from you in the comments below. If you’d like to watch the progress closely you can sign up for updates at the bottom of this page.

The cookie warning sign we use on this site is also freely available for use, but entirely at your own risk (we really aren’t sure if it will be seen as acceptable or not).

I have to admit that I find it staggering that they leave it until the eve of the law coming in to say they are not going to enforce it, but such is life.

Some very interesting developments – the main ones being that they are looking at browser solutions and the one year delay.

It looks like it is still going to be important to develop an understanding of cookies and to generally move to a more open.

“He added that although the Government is not expecting the ICO to enforce the rule on cookies straight away, “this does not let everyone off the hook” and those which do not take action will be taken into account when it enforces the law.”

Somehow this just adds more uncertainty really.

Have you seen the ICO’s solution? Horrible!

I thought I’d see if anyone else has adopted that text, so I stuck it through Google. On page three is the IOW Neighbourhood Watch scheme. Not very impressive, especially as the last thing my Neighbourhood Watch scheme sent me was an email from the local Police which was a scam tracked by Snopes.com at least ten years old.

Hi Brendan. Couldn’t agree more! I’m not surprised by how few people have copied it. It’s just wrong. Web marketers need to respect privacy but this is not the answer.

Have you seen any alternative ideas to trying to comply?

The best effort I’ve seen is West Sussex Council
http://www.westsussex.gov.uk/system_pages/top_nav/help/web_analytics_cookies_and_sta.aspx

I’m not convinced it works but they’ve clearly thought about it and tried to reconcile the spirit of the Directive with practicality.

I’ve pointed out to my MP that his site isn’t compliant – I suggest we all do that and see what happens . . .

Virtuous but out of business.

I love this – someone asked the ICO under the FOE for the stats on their website before and after they implemented their own Guidance. Traffic on weekdays fell from an average above 10,000 per day to less than 1,000. For the data see

http://www.flickr.com/photos/vickyb/5859873960/

Fortunately they are not in business (because they wouldn’t be any more), aren’t funded by people who come to their website (ditto), and are not providing an essential public service (because they wouldn’t be any more).

I note that government sites such as “Justice.com” which is now the central portal for all courts and tribunals have chosen not to comply with the Directive. They use Google Analytics so they clearly should. I assume that they won’t be prosecuted. Is the MoJ creating de facto law and can the rest of us rely on the same immunity?

Brendan,

Great insights as ever – thank you.

This is obviously recorded traffic not actual traffic so we don’t know whether the cookie warning has actually put people off using the site. Certainly though they are losing most of their analytics data.

I had a twitter discussion with the CMO of Quidco who views loss of recorded traffic as worse than loss of actual traffic – I don’t fully see where he is coming from but there is no doubt that losing this amount of data is a serious issue for any site keen to continually improve their website and marketing.

I think the ICO are actually really pleased about it as they are desperate to show the EU how unworkable their directive is – certainly it’s one of the fastest issued answers to an information request ever!

Re government sites, there does seem to be a consensus emerging: at least get information about cookies on to your site as per here: http://www.justice.gov.uk/global/privacy/cookies.htm . It seems to me that the government is keen to argue that displaying such information for less invasive cookies is enough.

Display ad networks seem to be getting this Informed Choices information icon idea off the ground and I am pretty sure that the ICO will be making the case to Europe for this being acceptable.

I still don’t think we can bury heads in sand but some common sense is starting to prevail, at least at the UK level.